diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index c4fb00e..5e66b8a 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -37,6 +37,7 @@ jobs:
       name: pypi
       url: https://pypi.org/p/blm
     permissions:
+      contents: read
       id-token: write  # mandatory for trusted publishing
     steps:
       - name: Download all distributions
@@ -46,3 +47,5 @@ jobs:
           path: dist/
       - name: Publish distributions to PyPI
         uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          password: ${{ secrets.PYPI_API_TOKEN }}  # allegedly deprecated